I'm using the Universal Forwarder, and I have a requirement to log events under a specific Source Type using specified line breaks, while at the same time sending some events to the nullQueue. From what I understand, as I'm using the Universal Forwarder, I should be configuring my Splunk server instance to parse my logs.
On disk, the log is formatted as PSV, so I cloned this Source Type and renamed it. The only advanced settings that I added are as follows -
> LINE_BREAKER = (\r\n)
> TRANSFORMS-set = setnull_CheckLive
After doing this, I noticed that nothing was getting logged, so I removed the advanced setting for `TRANSFORMS-set` and tried again. This time I did see logging, but it was not as expected; rather than each event being logged separately, a whole bunch were logged together, suggesting that my `LINE_BREAKER` advanced setting was being ignored.
Upon further investigation, I've found that whenever I add the `LINE_BREAKER` advanced setting, the default setting `SHOULD_LINEMERGE` is set to `true` and I'm **unable to amend that value** (whenever I change it and click "Save", it just changes back). This is odd because in the docs it explicitly states the following -
> When using LINE_BREAKER to delimit events, SHOULD_LINEMERGE should be set to false, to ensure no further combination of delimited events occurs.
Please note I'm unable to access the server that hosts the Splunk instance, so I can't provide an extract from **props.conf**, and because I'm new, I'm not allowed to upload a screenshot of the settings from the Splunk console.
I've found some other answers that address this issue, but none with an accepted answer and sadly none that are of help regarding my issue.
Is anyone able to suggest what may be going wrong here? I'm happy to provide more information if required.
Please note that I did try to include some links in here, but it seems that I'm not allowed to do that either.
Thanks,
David
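For reference, the following is an added example of what the matching pair of stanzas looks like when written directly in `props.conf` and `transforms.conf` on the indexer (or a heavy forwarder), rather than through the web UI. It is not the poster's configuration: the sourcetype name `psv_checklive` and the `REGEX` used to pick out the events destined for the nullQueue are assumptions for illustration only, so replace them with the real ones.

```ini
# props.conf  (assumed sourcetype name; put it under the app's local/ directory)
[psv_checklive]
# Single capture group required; the captured text is discarded as the delimiter.
LINE_BREAKER = (\r\n)
# Must be false alongside LINE_BREAKER, otherwise Splunk re-merges the
# already-delimited lines into multi-line events.
SHOULD_LINEMERGE = false
# Optional but makes timestamp handling explicit for PSV rows.
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 25
# <class> after TRANSFORMS- is arbitrary; the value is a stanza in transforms.conf.
TRANSFORMS-set = setnull_CheckLive

# transforms.conf
[setnull_CheckLive]
# Assumed pattern: drop any event whose third pipe-separated field is "CheckLive".
REGEX = ^[^|]*\|[^|]*\|CheckLive\|
DEST_KEY = queue
FORMAT = nullQueue
```

Two things worth checking once someone with shell access on the indexer can help. First, the UI writes settings into an app's `local/props.conf`, but a higher-precedence copy of the same stanza elsewhere (for example `etc/system/local`) will silently win; `splunk btool props list psv_checklive --debug` prints the merged stanza together with the file each key came from, which shows immediately whether `SHOULD_LINEMERGE` is really ending up as `true`. Second, a `REGEX` that is too broad in the nullQueue transform matches every event and produces exactly the "nothing gets logged" symptom described above, so test the pattern against a few raw lines before sending anything to `nullQueue`.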